Having cyber insurance cover can help businesses handle data breaches, says expert

Out-Law Analysis | 17 Feb 2017 | 4:09 pm | 3 min. read

ANALYSIS: Businesses that take out dedicated cyber insurance cover are often well placed to respond to data breach or cybersecurity incidents effectively.

The cyber insurance market in the UK is still relatively nascent, but forthcoming changes to EU legislation, including the introduction of the EU General Data Protection Regulation (GDPR), could spur significant growth.

Those that buy cyber insurance policies may not only find that the costs of a cyber event are covered by their insurer, but that the cover gives them access to a range of cyber experts who can help them manage and respond to breaches or incidents.

Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series.

We previously looked at which people are typically behind cybersecurity breaches and the methods they usewhat the common vulnerabilities are and what good IT security looks like, and how the legal landscape and regulatory fines are changing. We have also assessed the rising threat of ransomware and looked at how businesses may be able to seek protection afforded by legal professional privilege, and what they need to consider when working with criminal authorities, as well as the advantages of engaging credit monitoring after a breach. Here we look at the potential benefits of taking out cyber insurance.

What is cyber insurance?

Cyber insurance in its most developed form is a specialist insurance product that offers cover for cyber, data and information based risks including data breaches.

It is currently offered by a limited number of insurers in the UK. A recent PwC report estimated the global cyber market would double to $5 billion in annual premiums by 2018 and treble to at least $7.5 billion by 2020.

The common consensus is that legal and regulatory developments will drive the UK and European cyber insurance markets, including the GDPR. However, it remains to be seen if those reforms will be the 'silver bullet' for driving cyber insurance sales. 

What is covered?

There are two main benefits to cyber insurance. First, it offers a financial indemnity for risk which is unlikely to be covered by existing insurance products; and second, it provides access to an established panel of specialist third party experts, often at discounted rates. For example, the experts could include specialists in IT forensics, law firms and providers of credit monitoring services.

Broadly, there are two main areas of cover: first party and third party covers.

First party cover includes:

  • Breach response costs such as IT forensics to investigate a data breach and breach notification costs.
  • Cyber business interruption losses
  • Costs incurred to repair IT systems damage caused by a hacker and
  • Cyber extortion such as ransom demands

Third party cover includes:

  • Claims by third parties, such as customers or staff
  • Dealing with regulatory investigations, such as those carried out by the Information Commissioner's Office (ICO) or Financial Conduct Authority (FCA), and
  • For retailers subject to PCI-DSS (Payment Card Industry Data Security Standards), PCI charges or penalties levied following a data breach

However, businesses need to look out for exclusions relating, for example, to terrorism and cyber-crime, such as 'Friday frauds'.

Who buys cyber insurance, how much does it cost, and where can I buy it?

Cyber insurance has been popular among retailers, healthcare providers, financial services companies, technology companies and those in the hospitality sector, amongst others.

In the UK technology sector, it is increasingly common for customers to require IT suppliers to warrant that cyber insurance will be put in place.

In terms of cost, premiums will vary depending on the insured’s turnover, sector and the type, volume and sensitivity of data processed. Generally speaking, companies operating in the financial services and energy sectors, such as banks and energy providers, are considered higher risk. It is a soft market in the UK, which is not yet commoditised, so rates are competitive.

As to distribution models, depending on the premium level, cyber insurance can be bought directly from insurers or via insurance brokers.   

Ian Birdsey is a specialist in cyber risk and insurance at Pinsent Masons, the law firm behind Out-Law.com.